Abstract
This paper presents KJS, the most complete and thoroughly tested formal semantics of JavaScript to date. Being executable, KJS has been tested against the ECMAScript 5.1 conformance test suite, and passes all 2,782 core language tests. Among the existing implementations of JavaScript, only Chrome V8 passes all of these tests, and no other formal semantics passes more than 90%. Besides serving as a reference implementation for JavaScript, KJS also yields a simple coverage metric for a test suite: the set of semantic rules the suite exercises. Measured this way, the ECMAScript 5.1 conformance test suite fails to cover several semantic rules. Guided by the semantics, we wrote tests that exercise those rules. The new tests revealed bugs both in production JavaScript engines (Chrome V8, Safari WebKit, Firefox SpiderMonkey) and in other formal semantics. KJS is also symbolically executable, so it can be used for formal analysis and verification of JavaScript programs. We verified non-trivial programs and found a known security vulnerability.
KJS: a complete formal semantics of JavaScript
PLDI '15: Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation